1 files changed, 159 insertions, 47 deletions
diff --git a/lib/ssl/src/ssl_manager.erl b/lib/ssl/src/ssl_manager.erl
index fbc73e0e42..bf0333ba8d 100644
--- a/lib/ssl/src/ssl_manager.erl
+++ b/lib/ssl/src/ssl_manager.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2007-2013. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2015. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -30,10 +30,10 @@
 	 lookup_trusted_cert/4,
 	 new_session_id/1, clean_cert_db/2,
 	 register_session/2, register_session/3, invalidate_session/2,
-	 invalidate_session/3, clear_pem_cache/0, manager_name/1]).
+	 invalidate_session/3, invalidate_pem/1, clear_pem_cache/0, manager_name/1]).
 
 % Spawn export
--export([init_session_validator/1]).
+-export([init_session_validator/1, init_pem_cache_validator/1]).
 
 %% gen_server callbacks
 -export([init/1, handle_call/3, handle_cast/2, handle_info/2,
@@ -44,16 +44,19 @@
 -include_lib("kernel/include/file.hrl").
 
 -record(state, {
-	  session_cache,
+	  session_cache_client,
+	  session_cache_server,
 	  session_cache_cb,
 	  session_lifetime,
 	  certificate_db,
 	  session_validation_timer,
-	  last_delay_timer  = {undefined, undefined}%% Keep for testing purposes
+	  last_delay_timer  = {undefined, undefined},%% Keep for testing purposes
+	  last_pem_check,
+	  clear_pem_cache 
 	 }).
 
--define('24H_in_msec', 8640000).
--define('24H_in_sec', 8640).
+-define('24H_in_msec', 86400000).
+-define('24H_in_sec', 86400).
 -define(GEN_UNIQUE_ID_MAX_TRIES, 10).
 -define(SESSION_VALIDATION_INTERVAL, 60000).
 -define(CLEAR_PEM_CACHE, 120000).
@@ -117,14 +120,13 @@ connection_init(Trustedcerts, Role) ->
 %% Description: Cache a pem file and return its content.
 %%--------------------------------------------------------------------
 cache_pem_file(File, DbHandle) ->
-    MD5 = crypto:hash(md5, File),
-    case ssl_pkix_db:lookup_cached_pem(DbHandle, MD5) of
+    case ssl_pkix_db:lookup_cached_pem(DbHandle, File) of
 	[{Content,_}] ->
 	    {ok, Content};
 	[Content] ->
 	   {ok, Content};
 	undefined ->
-	    call({cache_pem, {MD5, File}})
+	    call({cache_pem, File})
     end.
 
 %%--------------------------------------------------------------------
@@ -191,6 +193,11 @@ invalidate_session(Host, Port, Session) ->
 invalidate_session(Port, Session) ->
     cast({invalidate_session, Port, Session}).
 
+
+-spec invalidate_pem(File::binary()) -> ok.
+invalidate_pem(File) ->
+    cast({invalidate_pem, File}).
+
 %%====================================================================
 %% gen_server callbacks
 %%====================================================================
@@ -209,15 +216,23 @@ init([Name, Opts]) ->
     SessionLifeTime =  
 	proplists:get_value(session_lifetime, Opts, ?'24H_in_sec'),
     CertDb = ssl_pkix_db:create(),
-    SessionCache = CacheCb:init(proplists:get_value(session_cb_init_args, Opts, [])),
+    ClientSessionCache = CacheCb:init([{role, client} | 
+				       proplists:get_value(session_cb_init_args, Opts, [])]),
+    ServerSessionCache = CacheCb:init([{role, server} | 
+				       proplists:get_value(session_cb_init_args, Opts, [])]),
     Timer = erlang:send_after(SessionLifeTime * 1000 + 5000, 
 			      self(), validate_sessions),
-    erlang:send_after(?CLEAR_PEM_CACHE, self(), clear_pem_cache),
+    Interval = pem_check_interval(),
+    erlang:send_after(Interval, self(), clear_pem_cache),
     {ok, #state{certificate_db = CertDb,
-		session_cache = SessionCache,
+		session_cache_client = ClientSessionCache,
+		session_cache_server = ServerSessionCache,
 		session_cache_cb = CacheCb,
 		session_lifetime = SessionLifeTime,
-		session_validation_timer = Timer}}.
+		session_validation_timer = Timer,
+		last_pem_check =  os:timestamp(),
+		clear_pem_cache = Interval 	
+	       }}.
 
 %%--------------------------------------------------------------------
 -spec handle_call(msg(), from(), #state{}) -> {reply, reply(), #state{}}. 
@@ -230,15 +245,32 @@ init([Name, Opts]) ->
 %%
 %% Description: Handling call messages
 %%--------------------------------------------------------------------
-handle_call({{connection_init, <<>>, _Role}, _Pid}, _From,
+handle_call({{connection_init, <<>>, client}, _Pid}, _From,
+	    #state{certificate_db = [CertDb, FileRefDb, PemChace],
+		   session_cache_client = Cache} = State) ->
+    Result = {ok, make_ref(),CertDb, FileRefDb, PemChace, Cache},
+    {reply, Result, State};
+handle_call({{connection_init, <<>>, server}, _Pid}, _From,
 	    #state{certificate_db = [CertDb, FileRefDb, PemChace],
-		   session_cache = Cache} = State) ->
+		   session_cache_server = Cache} = State) ->
     Result = {ok, make_ref(),CertDb, FileRefDb, PemChace, Cache},
     {reply, Result, State};
 
-handle_call({{connection_init, Trustedcerts, _Role}, Pid}, _From,
+handle_call({{connection_init, Trustedcerts, client}, Pid}, _From,
+	    #state{certificate_db = [CertDb, FileRefDb, PemChace] = Db,
+		   session_cache_client = Cache} = State) ->
+    Result = 
+	try
+	    {ok, Ref} = ssl_pkix_db:add_trusted_certs(Pid, Trustedcerts, Db),
+	    {ok, Ref, CertDb, FileRefDb, PemChace, Cache}
+	catch
+	    _:Reason ->
+		{error, Reason}
+	end,
+    {reply, Result, State};
+handle_call({{connection_init, Trustedcerts, server}, Pid}, _From,
 	    #state{certificate_db = [CertDb, FileRefDb, PemChace] = Db,
-		   session_cache = Cache} = State) ->
+		   session_cache_server = Cache} = State) ->
     Result = 
 	try
 	    {ok, Ref} = ssl_pkix_db:add_trusted_certs(Pid, Trustedcerts, Db),
@@ -249,14 +281,15 @@ handle_call({{connection_init, Trustedcerts, _Role}, Pid}, _From,
 	end,
     {reply, Result, State};
 
+
 handle_call({{new_session_id,Port}, _},
 	    _, #state{session_cache_cb = CacheCb,
-		      session_cache = Cache} = State) ->
+		      session_cache_server = Cache} = State) ->
     Id = new_id(Port, ?GEN_UNIQUE_ID_MAX_TRIES, Cache, CacheCb),
     {reply, Id, State};
 
 
-handle_call({{cache_pem, File}, _Pid}, _,
+handle_call({{cache_pem,File}, _Pid}, _,
 	    #state{certificate_db = Db} = State) ->
     try ssl_pkix_db:cache_pem_file(File, Db) of
 	Result ->
@@ -278,16 +311,22 @@ handle_call({unconditionally_clear_pem_cache, _},_, #state{certificate_db = [_,_
 %% Description: Handling cast messages
 %%--------------------------------------------------------------------
 handle_cast({register_session, Host, Port, Session}, 
-	    #state{session_cache = Cache,
+	    #state{session_cache_client = Cache,
 		   session_cache_cb = CacheCb} = State) ->
     TimeStamp = calendar:datetime_to_gregorian_seconds({date(), time()}),
     NewSession = Session#session{time_stamp = TimeStamp},
-    CacheCb:update(Cache, {{Host, Port}, 
-		   NewSession#session.session_id}, NewSession),
+    
+    case CacheCb:select_session(Cache, {Host, Port}) of
+	no_session ->
+	    CacheCb:update(Cache, {{Host, Port}, 
+				   NewSession#session.session_id}, NewSession);
+	Sessions ->
+	    register_unique_session(Sessions, NewSession, CacheCb, Cache, {Host, Port})
+    end,
     {noreply, State};
 
 handle_cast({register_session, Port, Session},  
-	    #state{session_cache = Cache,
+	    #state{session_cache_server = Cache,
 		   session_cache_cb = CacheCb} = State) ->    
     TimeStamp = calendar:datetime_to_gregorian_seconds({date(), time()}),
     NewSession = Session#session{time_stamp = TimeStamp},
@@ -296,14 +335,19 @@ handle_cast({register_session, Port, Session},
 
 handle_cast({invalidate_session, Host, Port,
 	     #session{session_id = ID} = Session},
-	    #state{session_cache = Cache,
+	    #state{session_cache_client = Cache,
 		   session_cache_cb = CacheCb} = State) ->
     invalidate_session(Cache, CacheCb, {{Host, Port}, ID}, Session, State);
 
 handle_cast({invalidate_session, Port, #session{session_id = ID} = Session},
-	    #state{session_cache = Cache,
+	    #state{session_cache_server = Cache,
 		   session_cache_cb = CacheCb} = State) ->
-    invalidate_session(Cache, CacheCb, {Port, ID}, Session, State).
+    invalidate_session(Cache, CacheCb, {Port, ID}, Session, State);
+
+handle_cast({invalidate_pem, File},
+	    #state{certificate_db = [_, _, PemCache]} = State) ->
+    ssl_pkix_db:remove(File, PemCache),
+    {noreply, State}.
 
 %%--------------------------------------------------------------------
 -spec handle_info(msg(), #state{}) -> {noreply, #state{}}.
@@ -314,29 +358,29 @@ handle_cast({invalidate_session, Port, #session{session_id = ID} = Session},
 %% Description: Handling all non call/cast messages
 %%-------------------------------------------------------------------
 handle_info(validate_sessions, #state{session_cache_cb = CacheCb,
-				      session_cache = Cache,
+				      session_cache_client = ClientCache,
+				      session_cache_server = ServerCache,
 				      session_lifetime = LifeTime
 				     } = State) ->
     Timer = erlang:send_after(?SESSION_VALIDATION_INTERVAL, 
 			      self(), validate_sessions),
-    start_session_validator(Cache, CacheCb, LifeTime),
+    start_session_validator(ClientCache, CacheCb, LifeTime),
+    start_session_validator(ServerCache, CacheCb, LifeTime),
     {noreply, State#state{session_validation_timer = Timer}};
 
-handle_info({delayed_clean_session, Key}, #state{session_cache = Cache,
-                   session_cache_cb = CacheCb
-                   } = State) ->
+
+handle_info({delayed_clean_session, Key, Cache}, #state{session_cache_cb = CacheCb
+						       } = State) ->
     CacheCb:delete(Cache, Key),
     {noreply, State};
 
-handle_info(clear_pem_cache, #state{certificate_db = [_,_,PemChace]} = State) ->
-    case ssl_pkix_db:db_size(PemChace) of
-	N  when N < ?NOT_TO_BIG ->
-	    ok;
-	_ ->
-	    ssl_pkix_db:clear(PemChace)
-    end,
-    erlang:send_after(?CLEAR_PEM_CACHE, self(), clear_pem_cache),
-    {noreply, State};
+handle_info(clear_pem_cache, #state{certificate_db = [_,_,PemChace],
+				    clear_pem_cache = Interval,
+				    last_pem_check = CheckPoint} = State) ->
+    NewCheckPoint = os:timestamp(),
+    start_pem_cache_validator(PemChace, CheckPoint),
+    erlang:send_after(Interval, self(), clear_pem_cache),
+    {noreply, State#state{last_pem_check = NewCheckPoint}};
 
 
 handle_info({clean_cert_db, Ref, File},
@@ -367,12 +411,14 @@ handle_info(_Info, State) ->
 %% The return value is ignored.
 %%--------------------------------------------------------------------
 terminate(_Reason, #state{certificate_db = Db,
-			  session_cache = SessionCache,
+			  session_cache_client = ClientSessionCache,
+			  session_cache_server = ServerSessionCache,
 			  session_cache_cb = CacheCb,
 			  session_validation_timer = Timer}) ->
     erlang:cancel_timer(Timer),
     ssl_pkix_db:remove(Db),
-    CacheCb:terminate(SessionCache),
+    catch CacheCb:terminate(ClientSessionCache),
+    catch CacheCb:terminate(ServerSessionCache),
     ok.
 
 %%--------------------------------------------------------------------
@@ -445,7 +491,7 @@ invalidate_session(Cache, CacheCb, Key, Session, #state{last_delay_timer = LastT
 	    %% up the session data but new connections should not get to use this session.
 	    CacheCb:update(Cache, Key, Session#session{is_resumable = false}),
 	    TRef =
-		erlang:send_after(delay_time(), self(), {delayed_clean_session, Key}),
+		erlang:send_after(delay_time(), self(), {delayed_clean_session, Key, Cache}),
 	    {noreply, State#state{last_delay_timer = last_delay_timer(Key, TRef, LastTimer)}}
     end.
 
@@ -482,10 +528,9 @@ new_id(Port, Tries, Cache, CacheCb) ->
 clean_cert_db(Ref, CertDb, RefDb, PemCache, File) ->
     case ssl_pkix_db:ref_count(Ref, RefDb, 0) of
 	0 ->	  
-	    MD5 = crypto:hash(md5, File),
-	    case ssl_pkix_db:lookup_cached_pem(PemCache, MD5) of
+	    case ssl_pkix_db:lookup_cached_pem(PemCache, File) of
 		[{Content, Ref}] ->
-		    ssl_pkix_db:insert(MD5, Content, PemCache);		
+		    ssl_pkix_db:insert(File, Content, PemCache);		
 		_ ->
 		    ok
 	    end,
@@ -494,3 +539,70 @@ clean_cert_db(Ref, CertDb, RefDb, PemCache, File) ->
 	_ ->
 	    ok
     end.
+
+%% Do not let dumb clients create a gigantic session table
+%% for itself creating big delays at connection time. 
+register_unique_session(Sessions, Session, CacheCb, Cache, PartialKey) ->
+    case exists_equivalent(Session , Sessions) of
+	true ->
+	    ok;
+	false ->
+	    CacheCb:update(Cache, {PartialKey, 
+				   Session#session.session_id}, Session)
+    end.
+
+exists_equivalent(_, []) ->
+    false;
+exists_equivalent(#session{
+		     peer_certificate = PeerCert,
+		     own_certificate = OwnCert,
+		     compression_method = Compress,
+		     cipher_suite = CipherSuite,
+		     srp_username = SRP,
+		     ecc = ECC} , 
+		  [#session{
+		      peer_certificate = PeerCert,
+		      own_certificate = OwnCert,
+		      compression_method = Compress,
+		      cipher_suite = CipherSuite,
+		      srp_username = SRP,
+		      ecc = ECC} | _]) ->
+    true;
+exists_equivalent(Session, [ _ | Rest]) ->
+    exists_equivalent(Session, Rest).
+
+start_pem_cache_validator(PemCache, CheckPoint) ->
+    spawn_link(?MODULE, init_pem_cache_validator, 
+	       [[get(ssl_manager), PemCache, CheckPoint]]).
+
+init_pem_cache_validator([SslManagerName, PemCache, CheckPoint]) ->
+    put(ssl_manager, SslManagerName),
+    ssl_pkix_db:foldl(fun pem_cache_validate/2,
+		      CheckPoint, PemCache).
+
+pem_cache_validate({File, _}, CheckPoint) ->
+    case file:read_file_info(File, []) of
+	{ok, #file_info{mtime = Time}} ->
+	    case is_before_checkpoint(Time, CheckPoint) of
+		true ->
+		    ok;
+		false ->
+		    invalidate_pem(File)
+	    end;
+	_  ->
+	    invalidate_pem(File)
+    end,
+    CheckPoint.
+
+pem_check_interval() ->
+    case application:get_env(ssl, ssl_pem_cache_clean) of
+	{ok, Interval} when is_integer(Interval) ->
+	    Interval;
+	_  ->
+	    ?CLEAR_PEM_CACHE
+    end.
+	
+is_before_checkpoint(Time, CheckPoint) ->
+    calendar:datetime_to_gregorian_seconds(calendar:now_to_datetime(CheckPoint)) -
+    calendar:datetime_to_gregorian_seconds(Time) > 0.
+